Eric Moon
@ericmoon
@ptman:kapsi.fi nope, same error.
Erin L Ptáček
@boboTjones

@boboTjones: did you try the devel branch? https://github.com/revel/examples/commits/develop

I have not. Next time I need to write a CTF, I'll check it out.

Caeril the Cowardly
@caeril
Sorry, bizarre question. Normally we use BindJson() to grab api POST data. But there's a third party calling our api and we have no idea what they're posting to us such that we need to grab the RAW body data for a few requests to figure it out. That said, everything in c.Request.GetBody() is blank. We need to see the body for just a few requests then we'll go back to doing it the right way again, promise :)
Paul
@ptman:kapsi.fi
[m]
is it the same action?
BindJson() consumes the io.Reader
Caeril the Cowardly
@caeril
Yes, it's the same action. We're not pre-consuming it with BindJSON() - we've taken it out so we can just get the raw data with ioutil.ReadAll(c.Request.GetBody()), but it always returns blank
Caeril the Cowardly
@caeril
We got it! Looks like the ParamsFilter reads the body anytime json appears in the content-type, whether you call BindJson() or not. We stuck a filter ahead of ParamsFilter and we can see the raw data!
Paul
@ptman:kapsi.fi
[m]
great
Sepehr Aryani
@sepisoad
is there a way to debug revel tests, or start a revel server in debug mode and run tests against the running server?
and by debug I mean through a real debugger (e.g. delve) not fmt.Println
Paul
@ptman:kapsi.fi
[m]
delve is a hack
go and "real debugger" is a weird combination
try to isolate your issue and write a small program to debug
Caeril the Cowardly
@caeril
Ok, now we have another issue. Revel is setting the FLASH cookie on every response. This is fine, except for static content (e.g. everything in the /public directory). Is there any known way of getting Revel to NOT set cookies at all on static content?
Caeril the Cowardly
@caeril
Welp, filters to the rescue again!
Disregard!
Erin L Ptáček
@boboTjones
Hey I have a suggestion, if you want to make revel different from other web frameworks: come up with a mechanism that forces developers to create validation schemas for the parameters used in request handlers. Some kind of registry of required and optional parameters. Maybe put that validation step in between the session check and calling the request handler.
I've worked with lots of frameworks in my career and absolutely none of them do this, and because of that, user controlled input is still the Achilles' heel of web apps.
Bonus, the code that dumps the route map can also dump the parameters templates. This could be used for unit testing.
*routes map
Thanks in advance XD
Erin L Ptáček
@boboTjones
Oh, another argument in favor of parameter validation earlier rather than later -- why do all the work of starting to build the response and then discard all of that work if foo != bar
Obviously, that's oversimplified. But I've just audited an app that checks the same parameter 4 times while routing a request object through 3 helpers and then punts the request back with a 403. For a small app, that's not a big deal, but for an app handling 100K+ requests per second, intuitively that seems like a waste of resources and cloud billable time.
Erin L Ptáček
@boboTjones
And possibly I will regret this, but I volunteer.
Tim Goddard
@pruby
I don't want to tell anyone else how to build their framework, but I'd second that the above is, in principle, a very good idea. See for example how .Net MVC applications often have a request object and response object from endpoints. My job is security testing, and I can tell you definitively that forcing input to conform to a schema, in that case by safely deserialising it to a well-defined type, takes a significant axe to certain types of security issues.
You could do this, for example, by using a type with some annotations along the lines of "take this from the body, this from parameter X, etc", and populating an instance of that type before the endpoint is even called.
Of course, you can already do that with the JSON body at least.
.Net calls these "Data Transfer Objects"
Erin L Ptáček
@boboTjones
That's why I brought it up. I'm tired of being an input validation janitor.
Mitsutaka Kato
@mikyk10
Hi there, is there any plan to accept/merge PRs to develop? I am willing to fix my PR if there's a problem.
Paul
@ptman:kapsi.fi
[m]
afaik yes, but notzippy and brendensoares are somewhat busy
Steve
@notzippy
Currently go1.16 is causing issues, I'm looking into fixing that atm
Will be happy to accept PRs as well
Paul
@ptman:kapsi.fi
[m]
notzippy, what's the problem with go1.16? I didn't notice anything yet
Steve
@notzippy
@ptman:kapsi.fi tracking it here, I just went through the steps of creating a new app and got the same error revel/revel#1528
Paul
@ptman:kapsi.fi
[m]
thanks
shadtaylor
@shadtaylor
so how is everyone auto starting the revel application on a webserver? if you reboot or shutdown the machine for maintenance you have to remember to revel run every time? Is there a built in setting I am missing or do I have to create a startup .sh?
Paul
@ptman:kapsi.fi
[m]
systemd
and I run revel in docker as well
or the revel based app, to be more accurate
shadtaylor
@shadtaylor
k, I will try the systemd service route, as I have seen this method, just making sure I wasn't missing something
Brenden Soares
@brendensoares
I always ran it manually lol
not ideal
and prod env it's ideal to statically compile and run it
Paul
@ptman:kapsi.fi
[m]
shadtaylor, have some service manager look after it
Brenden Soares
@brendensoares
but there are many options and opinions
Paul
@ptman:kapsi.fi
[m]
whichever one you prefer
docker can autostart
systemd can autostart